是否可以使 ecryptfs-setup-private 使用 256 位 AES 密钥（而不是默认的 128 位密钥长度）？

简短的回答是“不”。当我写ecryptfs-设置-私有，我选择了一组默认值加密文件系统我认为这对于数百万 Ubuntu 用户来说是合理、安全且可支持的，因为从长远来看，这些用户并不太关心可调参数。这限制了我们必须测试和支持的配置组合的数量。

正如你所注意到的，如果你读过文档并手动挂载，而 Ubuntu 加密私人/家庭功能在任何地方都有一组一致的选项。

此外，布鲁斯·施奈尔建议不要使用 AES256，支持 AES128：

对于新应用程序，我建议人们不要使用 AES-256。AES-128 在可预见的未来提供了足够的安全保障。

嗯，长答案可能是“是的，但要注意失去与 16 字节编码目录的兼容性”。

针对最近的 ecryptfs-utils-104 源应用以下补丁应该可以完成这项工作 - 但是，它只是将硬编码值更改为 32，而没有选择的可能性。但如果它对某些人有用：

diff -ruN ecryptfs-utils-104/README ecryptfs-utils-104-32byte/README
--- ecryptfs-utils-104/README   2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/README    2015-01-23 05:43:43.206773596 +0100
@@ -278,13 +278,13 @@
 You should get something like this:

 ---
-/secret /secret ecryptfs rw,ecryptfs_sig=deadbeefdeadbeef,ecryptfs_key_bytes=16,ecryptfs_cipher=aes 0 0
+/secret /secret ecryptfs rw,ecryptfs_sig=deadbeefdeadbeef,ecryptfs_key_bytes=32,ecryptfs_cipher=aes 0 0
 ---

 Add ``user'' and ``noauto'' to the mount options:

 ---
-/secret /secret ecryptfs user,noauto,rw,ecryptfs_sig=deadbeefdeadbeef,ecryptfs_key_bytes=16,ecryptfs_cipher=aes 0 0
+/secret /secret ecryptfs user,noauto,rw,ecryptfs_sig=deadbeefdeadbeef,ecryptfs_key_bytes=32,ecryptfs_cipher=aes 0 0
 ---

 Append your edited line to your /etc/fstab file. Now it's time to test
diff -ruN ecryptfs-utils-104/doc/manpage/mount.ecryptfs_private.1 ecryptfs-utils-104-32byte/doc/manpage/mount.ecryptfs_private.1
--- ecryptfs-utils-104/doc/manpage/mount.ecryptfs_private.1 2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/doc/manpage/mount.ecryptfs_private.1  2015-01-23 05:43:43.206773596 +0100
@@ -29,7 +29,7 @@
   - mount SOURCE onto DESTINATION
   - as an ecryptfs filesystem
   - using the AES cipher
-  - with a key length of 16 bytes
+  - with a key length of 32 bytes
   - using the passphrase whose signature is in ~/.ecryptfs/Private.sig

 The only setuid operation in this program is the call to \fBmount\fP(8) or \fBumount\fP(8).
diff -ruN ecryptfs-utils-104/src/include/ecryptfs.h ecryptfs-utils-104-32byte/src/include/ecryptfs.h
--- ecryptfs-utils-104/src/include/ecryptfs.h   2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/src/include/ecryptfs.h    2015-01-23 05:43:43.207773542 +0100
@@ -144,7 +144,7 @@
 #define ECRYPTFS_ECHO_OFF 0

 #define ECRYPTFS_AES_BLOCK_SIZE 16
-#define ECRYPTFS_AES_KEY_BYTES 16
+#define ECRYPTFS_AES_KEY_BYTES 32

 #define ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME "wrapped-passphrase"

diff -ruN ecryptfs-utils-104/src/utils/ecryptfs-recover-private ecryptfs-utils-104-32byte/src/utils/ecryptfs-recover-private
--- ecryptfs-utils-104/src/utils/ecryptfs-recover-private   2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/src/utils/ecryptfs-recover-private    2015-01-23 05:43:43.207773542 +0100
@@ -101,12 +101,12 @@
        1)
            mount_sig=$(echo "$sigs" | head -n1)
            fnek_sig=
-           mount_opts="$opts,ecryptfs_sig=$mount_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
+           mount_opts="$opts,ecryptfs_sig=$mount_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=32"
        ;;
        2)
            mount_sig=$(echo "$sigs" | head -n1)
            fnek_sig=$(echo "$sigs" | tail -n1)
-           mount_opts="$opts,ecryptfs_sig=$mount_sig,ecryptfs_fnek_sig=$fnek_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
+           mount_opts="$opts,ecryptfs_sig=$mount_sig,ecryptfs_fnek_sig=$fnek_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=32"
        ;;
        *)
            continue
diff -ruN ecryptfs-utils-104/src/utils/ecryptfs-setup-private ecryptfs-utils-104-32byte/src/utils/ecryptfs-setup-private
--- ecryptfs-utils-104/src/utils/ecryptfs-setup-private 2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/src/utils/ecryptfs-setup-private  2015-01-23 05:43:43.208773488 +0100
@@ -13,7 +13,8 @@
 TEXTDOMAIN="ecryptfs-utils"
 MESSAGE="$(gettext 'Enter your login passphrase')"
 CIPHER="aes"
-KEYBYTES="16"
+KEYBYTES="32"
+SIGBYTES="16"
 FNEK=

 # Zero out user-defined GREP_OPTIONS, such as --line-number
@@ -97,7 +98,8 @@
    bytes=$1
    # Pull $1 of random data from /dev/urandom,
    # and convert to a string of hex digits
-   od -x -N $bytes --width=$bytes /dev/urandom | head -n 1 | sed "s/^0000000//" | sed "s/\s*//g"
+   # od -x -N $bytes --width=$bytes /dev/urandom | head -n 1 | sed "s/^0000000//" | sed "s/\s*//g"
+   dd if=/dev/urandom bs=$[$bytes*3/2] count=1 status=none | base64
 }

 filename_encryption_available() {
@@ -393,7 +395,7 @@
    error "$(gettext 'Could not add passphrase to the current keyring')"
 fi
 sig=`echo "$response" | grep "Inserted auth tok" | sed "s/^.*\[//" | sed "s/\].*$//"`
-if ! echo "$sig" | egrep -qs "^[0-9a-fA-F]{$KEYBYTES,$KEYBYTES}$"; then
+if ! echo "$sig" | egrep -qs "^[0-9a-fA-F]{$SIGBYTES,$SIGBYTES}$"; then
    error "$(gettext 'Could not obtain the key signature')"
 fi
 temp=`mktemp`
diff -ruN ecryptfs-utils-104/src/utils/mount.ecryptfs_private.c ecryptfs-utils-104-32byte/src/utils/mount.ecryptfs_private.c
--- ecryptfs-utils-104/src/utils/mount.ecryptfs_private.c   2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/src/utils/mount.ecryptfs_private.c    2015-01-23 05:43:43.208773488 +0100
@@ -47,7 +47,8 @@
  * by the system administrator (or user?) at run time.  For now, these are set
  * to reasonable values to reduce the burden of input validation.
  */
-#define KEY_BYTES 16
+#define SIG_BYTES 16
+#define KEY_BYTES 32
 #define KEY_CIPHER "aes"
 #define FSTYPE "ecryptfs"
 #define TMP "/dev/shm"
@@ -159,13 +160,13 @@
    sig[0] = NULL;
    sig[1] = NULL;
    for (i=0; i<2; i++) {
-       if ((sig[i] = (char *)malloc(KEY_BYTES*sizeof(char)+2)) == NULL) {
+       if ((sig[i] = (char *)malloc(SIG_BYTES*sizeof(char)+2)) == NULL) {
            perror("malloc");
            goto err;
        }
-       memset(sig[i], '\0', KEY_BYTES+2);
-       /* Read KEY_BYTES characters from line */
-       if (fgets(sig[i], KEY_BYTES+2, fh) == NULL) {
+       memset(sig[i], '\0', SIG_BYTES+2);
+       /* Read SIG_BYTES characters from line */
+       if (fgets(sig[i], SIG_BYTES+2, fh) == NULL) {
            if (i == 0) {
                fputs("Missing file encryption signature", stderr);
                goto err;
@@ -187,7 +188,7 @@
                sig[i][j] = '\0';
            }
        }
-       if (strlen(sig[i]) > 0 && strlen(sig[i]) != KEY_BYTES) {
+       if (strlen(sig[i]) > 0 && strlen(sig[i]) != SIG_BYTES) {
            fputs("Invalid hex signature length\n", stderr);
            goto err;
        }
@@ -489,7 +490,7 @@
  *  - mounts ~/.Private onto ~/Private
  *    - as an ecryptfs filesystem
  *    - using the AES cipher
- *    - with a key length of 16 bytes
+ *    - with a key length of 32 bytes
  *    - and using the signature defined in ~/.ecryptfs/Private.sig
  *    - ONLY IF the user
  *      - has the signature's key in his keyring
diff -ruN ecryptfs-utils-104/tests/lib/etl_funcs.sh ecryptfs-utils-104-32byte/tests/lib/etl_funcs.sh
--- ecryptfs-utils-104/tests/lib/etl_funcs.sh   2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/tests/lib/etl_funcs.sh    2015-01-23 05:43:43.209773433 +0100
@@ -32,7 +32,7 @@
 default_ext2_opts="user_xattr,acl"
 default_ext3_opts="user_xattr,acl,commit=600,barrier=1,data=ordered"
 default_btrfs_opts="nodatacow"
-default_mount_opts="rw,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_sig=\${ETL_FEKEK_SIG}"
+default_mount_opts="rw,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_sig=\${ETL_FEKEK_SIG}"
 default_fne_mount_opts="${default_mount_opts},ecryptfs_fnek_sig=\${ETL_FNEK_SIG}"

我在谷歌搜索时遇到了这个老问题。为什么不直接使用以下命令呢？

sudo mount -i -t ecryptfs [私有目录] [挂载点] \
-o ecryptfs_sig=[你的签名],ecryptfs_fnek_sig=[你的签名],\
ecryptfs_cipher=aes，ecryptfs_key_bytes=32，ecryptfs_unlink_sigs